
Page 1: Elastic Load Balancing: Best practices for

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Elastic Load Balancing: Best practices for securing your applications

NET413-R

Sathya Ramaseshan, Senior Product Manager, AWS Load Balancing, Amazon Web Services

David Ward, General Manager, AWS Load Balancing, Amazon Web Services


Related breakouts

NET407-R Get the most from Elastic Load Balancing for different workloads

Tuesday, Dec 3, 7:00 PM - 8:00 PM – Aria, Level 1 West, Bristlecone 9 Red

Wednesday, Dec 4, 8:30 AM - 9:30 AM – Bellagio, Grand Ballroom 5 Black

NET203-L Leadership session: Networking

Wednesday, Dec 4, 11:30 AM - 12:30 PM – MGM, Level 3, Premier Ballroom 309


Build secure applications with NLB

[Diagram: Users -> Network Load Balancer (public subnet) -> Amazon ECS and instances (private subnet), inside a VPC]

Control traffic in/out of your load balancer and targets

[Diagram: the same NLB topology, adding a NACL on the subnets and a security group on the targets]

Enable layer 3/4 protection seamlessly

[Diagram: the same topology with AWS Shield in front of the Network Load Balancer, alongside the NACL and security group]

Offload TLS to encrypt traffic to your application

[Diagram: TLS from users to the Network Load Balancer and again from the load balancer to the targets; certificates sourced from ACM or IAM; AWS Shield, security group and NACL as before]

Analyze your traffic patterns using access logs

[Diagram: the same topology with access logs delivered to Amazon Simple Storage Service (Amazon S3), queried with Amazon Athena and visualized in Amazon QuickSight]


Example TLS Access logs dashboard from QuickSight

Meet your application’s compliance requirements

[Diagram: the same topology with AWS CloudTrail and AWS Config added alongside ACM, IAM, Amazon S3, Athena and QuickSight]


Build secure applications with ALB

[Diagram: Users -> Application Load Balancer (public subnet) -> AWS Lambda, Amazon ECS and instances (private subnet), inside a VPC]

Control traffic in/out of your load balancer and targets

[Diagram: the same ALB topology with a security group on the Application Load Balancer and a second security group on the targets]

Enable layer 3/4 protection seamlessly

[Diagram: the same topology with AWS Shield in front of the Application Load Balancer, alongside both security groups]

Offload TLS to encrypt traffic to your application

[Diagram: HTTPS from users to the Application Load Balancer and again from the load balancer to the targets; certificates sourced from ACM or IAM; AWS Shield and security groups as before]

Enable layer 7 protection with AWS WAF

[Diagram: the same topology with AWS WAF attached to the Application Load Balancer]

Simplify authenticating users’ access to your application

[Diagram: the same topology with Amazon Cognito added, reached over HTTPS from the Application Load Balancer]

Analyze your traffic patterns using access logs

[Diagram: the same topology with access logs delivered to Amazon S3, queried with Athena and visualized in Amazon QuickSight]

Meet your application’s compliance requirements

[Diagram: the same topology with CloudTrail and AWS Config added alongside ACM, IAM, Amazon Cognito, Amazon S3, Athena, QuickSight and AWS WAF]


TLS features on NLB/ALB

Feature                 | NLB                 | ALB
------------------------|---------------------|------------------------------
Source IP preservation  | Yes                 | Yes (X-Forwarded-For header)
Predefined policies     | Yes                 | Yes
SNI                     | Yes                 | Yes
ALPN                    | No                  | Yes (client to ALB)
Session resumption      | Tickets (regional)  | Tickets and session ID
RSA certs > 2K          | No                  | Yes
EC certs                | No                  | Yes (IAM only)
TLS to target           | Yes                 | Yes


Considerations to determine TLS settings

Types of clients

Types of targets

Compliance needs

Number of applications behind load balancer



Authentication in ALB

Secure authentication and single sign-on experience across your applications

ALB implements the role of a "Relying Party" as defined by the OpenID Connect spec

Support for the authorization code grant flow

Native integration with any IdP that supports OIDC

Seamless integration with Amazon Cognito

Authenticate with corporate identities using SAML, LDAP, Microsoft AD, or OIDC

Authenticate with federated identities based on public IdPs (Facebook, Google, Amazon, Okta)

Implemented through listener rules, which simplifies authorization in the backends

Authentication workflow in ALB

[Diagram: the user, the ALB and the Identity Provider (IdP) with its auth, token and user_info endpoints; steps 1 to 11 below are numbered on the arrows]

Rule IF: (Host and/or Path) THEN: AUTH / Redirect / Block / Forward

1  https://mysite.com/video  Auth (OIDC parameters), forward (TG)

1) User sends HTTPS request to a website hosted behind Auth enabled ALB

2) ALB checks for Auth session cookie and redirects the user to IdP if it is missing

3) After authenticating with IdP, user is redirected back to ALB with authorization CODE

4) ALB authenticates the CODE and sends it to token endpoint

5) Token endpoint exchanges CODE for ID token, Access Token

6) ALB sends Access Token to user_info endpoint

7) User_info endpoint exchanges Access Token for user claims

8) ALB redirects the user with AWSELBAuthSessionCookie to original URI

9) ALB validates cookie and forwards user info to targets in the "X-AMZN-OIDC-*" HTTP headers set

10) Target sends response back to ALB

11) ALB sends final response to user


Learn networking with AWS Training and Certification

Resources created by the experts at AWS to help you build and validate networking skills

Free digital courses cover topics related to networking and content delivery, including Introduction to Amazon CloudFront and Introduction to Amazon VPC

Visit aws.amazon.com/training/paths-specialty

Validate expertise with the AWS Certified Advanced Networking - Specialty exam


Thank you!


TLS on ALB/NLB

Makes client-to-server communication through the load balancer secure by default

Application data is encrypted in transit

Improved PCI compliance

Fleets patched to handle zero day vulnerabilities

Visibility through metrics and access logs


Example TLS Access logs dashboard from QuickSight


Amazon Cognito configuration

Annotated listener rule actions for Amazon Cognito (the // comments are explanatory and are not valid JSON):

[{
  "Type": "authenticate-cognito",
  "AuthenticateCognitoConfig": {
    "UserPoolArn": "arn:aws:cognito-idp:region-code:account-id:userpool/user-pool-id",
    "UserPoolClientId": "abcdefghijklmnopqrstuvwxyz123456789",   // ID of the Amazon Cognito user pool client
    "UserPoolDomain": "userPoolDomain1",                          // Domain prefix or FQDN of the Amazon Cognito user pool
    "SessionCookieName": "my-cookie",                             // ALB authentication cookie name
    "SessionTimeout": 3600,                                       // ALB authentication session length (1 s - 7 days)
    "Scope": "openid",                                            // Set of user claims requested from the IdP; must include openid to receive an ID token
    "AuthenticationRequestExtraParams": {                         // Query params (string-to-string) to include in the redirect to the IdP
      "display": "page",
      "prompt": "login"
    },
    "OnUnauthenticatedRequest": "deny | allow | authenticate"     // Behavior on unauthenticated requests
  },
  "Order": 1
}, {
  "Type": "forward",
  "TargetGroupArn": "arn:aws:elasticloadbalancing:region-code:account-id:targetgroup/target-group-name/target-group-id",
  "Order": 2
}]


Native OIDC configuration

Annotated listener rule actions for a native OIDC identity provider (the // comments are explanatory and are not valid JSON):

[{
  "Type": "authenticate-oidc",
  "AuthenticateOidcConfig": {
    "Issuer": "https://idp-issuer.com",                             // IdP endpoint
    "AuthorizationEndpoint": "https://authorization-endpoint.com",  // Endpoint to get the authorization code
    "TokenEndpoint": "https://token-endpoint.com",                  // Endpoint to get the ID and access tokens
    "UserInfoEndpoint": "https://user-info-endpoint.com",           // Endpoint to get user claims
    "ClientId": "abcdefghijklmnopqrstuvwxyz123456789",              // OAuth 2.0 client ID configured in the IdP and shared with ALB
    "ClientSecret": "123456789012345678901234567890",               // OAuth 2.0 client secret configured in the IdP and shared with ALB
    "SessionCookieName": "my-cookie",                               // ALB authentication cookie name
    "SessionTimeout": 3600,                                         // ALB authentication session length (1 s - 7 days)
    "Scope": "openid",                                              // Set of user claims requested from the IdP; must include openid to receive an ID token
    "AuthenticationRequestExtraParams": {                           // Query params (string-to-string) to include in the redirect to the IdP
      "display": "page",
      "prompt": "login"
    },
    "OnUnauthenticatedRequest": "deny | allow | authenticate"       // Behavior on unauthenticated requests
  },
  "Order": 1
}, {
  "Type": "forward",
  "TargetGroupArn": "arn:aws:elasticloadbalancing:region-code:account-id:targetgroup/target-group-name/target-group-id",
  "Order": 2
}]
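A review check over listener rule actions shaped like the Amazon Cognito and native OIDC configurations above, written for this page as an added example (not AWS code): it flags the settings a reviewer looks for first, such as non-HTTPS IdP endpoints, a Scope without openid, a SessionTimeout outside the 1 s to 7 days range, and OnUnauthenticatedRequest set to allow, which lets unauthenticated requests reach the targets. The target group ARN, issuer, endpoints and IDs are constructed placeholders.

```python
SEVEN_DAYS = 7 * 24 * 3600  # SessionTimeout range on the slides: 1 s to 7 days
OIDC_ENDPOINT_KEYS = ("Issuer", "AuthorizationEndpoint", "TokenEndpoint", "UserInfoEndpoint")

def audit_auth_actions(actions):
    """Return (severity, message) findings for one listener rule's action list."""
    findings = []
    auth = [a for a in actions if a.get("Type") in ("authenticate-oidc", "authenticate-cognito")]
    forward = [a for a in actions if a.get("Type") == "forward"]
    if not auth:
        return [("HIGH", "no authenticate action: targets receive unauthenticated traffic")]
    if len(forward) != 1:
        findings.append(("HIGH", "rule needs exactly one forward action"))
    elif any(a.get("Order", 0) >= forward[0].get("Order", 0) for a in auth):
        findings.append(("HIGH", "authenticate action must be ordered before the forward action"))
    for a in auth:
        name = a["Type"]
        cfg = a.get("AuthenticateOidcConfig") or a.get("AuthenticateCognitoConfig") or {}
        if name == "authenticate-oidc":  # IdP endpoints must be HTTPS, or the code and tokens travel in clear text
            for key in OIDC_ENDPOINT_KEYS:
                if not str(cfg.get(key, "")).startswith("https://"):
                    findings.append(("HIGH", "%s %s is not an https:// URL" % (name, key)))
        if "openid" not in str(cfg.get("Scope", "")).split():
            findings.append(("HIGH", "%s Scope must include openid to obtain an ID token" % name))
        if not 1 <= int(cfg.get("SessionTimeout") or 0) <= SEVEN_DAYS:
            findings.append(("MEDIUM", "%s SessionTimeout must be between 1 s and 7 days" % name))
        mode = cfg.get("OnUnauthenticatedRequest", "authenticate")
        if mode not in ("deny", "allow", "authenticate"):
            findings.append(("HIGH", "%s OnUnauthenticatedRequest must be deny, allow or authenticate" % name))
        elif mode == "allow":  # unauthenticated requests reach the targets with no OIDC headers at all
            findings.append(("MEDIUM", "%s lets unauthenticated requests through; targets must enforce auth" % name))
    return findings

# Constructed samples shaped like the native OIDC slide (placeholder ARN, endpoints and IDs).
TG_ARN = "arn:aws:elasticloadbalancing:us-east-1:111122223333:targetgroup/example-tg/0123456789abcdef"

def oidc_rule(token_endpoint, scope, timeout, on_unauthenticated):
    cfg = {"Issuer": "https://idp-issuer.example",
           "AuthorizationEndpoint": "https://idp-issuer.example/authorize",
           "TokenEndpoint": token_endpoint, "UserInfoEndpoint": "https://idp-issuer.example/userinfo",
           "ClientId": "abc123", "ClientSecret": "<client-secret-placeholder>",
           "SessionCookieName": "my-cookie", "SessionTimeout": timeout, "Scope": scope,
           "OnUnauthenticatedRequest": on_unauthenticated}
    return [{"Type": "authenticate-oidc", "Order": 1, "AuthenticateOidcConfig": cfg},
            {"Type": "forward", "Order": 2, "TargetGroupArn": TG_ARN}]

WEAK_RULE = oidc_rule("http://idp-issuer.example/token", "email", 0, "allow")
HARDENED_RULE = oidc_rule("https://idp-issuer.example/token", "openid email", 3600, "authenticate")
```

Running audit_auth_actions(WEAK_RULE) yields four findings (plaintext token endpoint, missing openid, out-of-range timeout, allow mode) while HARDENED_RULE yields none.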


Info Received in HTTP Headers by Backends

➢ x-amzn-oidc-accesstoken: Access token from the token endpoint (plain text)

➢ x-amzn-oidc-identity: Subject field from the user info endpoint (plain text)

➢ x-amzn-oidc-data: User claims in JWT format (base64 URL encoded)

  • Header: { "alg": "algorithm", "kid": "12345678-1234-1234-1234-123456789012", "signer": "arn:aws:elasticloadbalancing:region-code:account-id:loadbalancer/app/load-balancer-name/load-balancer-id", "iss": "url", "client": "client-id", "exp": "expiration" }

  • Payload: { "sub": "1234567890", "name": "name", "email": "<email address>", ... }
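An added example (not AWS or the session's code) of what a backend does with the x-amzn-oidc-data header forwarded in step 9 of the workflow, using the header and payload layout above: it decodes the JWT, restores the base64url padding, and checks alg, signer, iss, client and exp before exposing the claims. Signature verification is left to the caller with an ECDSA library, using the key that public_key_url() points at (the regional ALB public-key endpoint, selected by kid); the ARN, issuer, client id and token are constructed placeholders.

```python
import base64
import json
import time

def b64url_decode(segment):
    # ALB emits base64url segments whose "=" padding may be missing; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def public_key_url(region, kid):
    # Regional endpoint serving the ALB signing key named by the token's kid (assumed URL form).
    return "https://public-keys.auth.elb.%s.amazonaws.com/%s" % (region, kid)

def check_oidc_data(token, expected_signer, expected_issuer, expected_client, now=None):
    """Decode x-amzn-oidc-data and check its header against this backend's own ALB. Returns
    (ok, reason, claims, kid); the caller must still verify the ES256 signature with the key from public_key_url()."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "not a compact JWT", None, None
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:  # binascii.Error and JSONDecodeError are both ValueErrors
        return False, "undecodable segment", None, None
    kid = header.get("kid")
    checks = [(header.get("alg") == "ES256", "unexpected alg"),             # ALB signs with ES256 only
              (header.get("signer") == expected_signer, "signer mismatch"),  # must be *our* load balancer
              (header.get("iss") == expected_issuer, "issuer mismatch"),
              (header.get("client") == expected_client, "client mismatch")]
    for passed, reason in checks:
        if not passed:
            return False, reason, None, kid
    exp = header.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "missing or expired exp", None, kid
    return True, "ok", claims, kid

# Constructed sample shaped like the slide above (placeholder ARN, IDs and a dummy signature segment).
SIGNER = "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/example-alb/0123456789abcdef"
SAMPLE_HEADER = {"alg": "ES256", "kid": "12345678-1234-1234-1234-123456789012", "signer": SIGNER,
                 "iss": "https://idp-issuer.example", "client": "abc123", "exp": 1700000600}
SAMPLE_CLAIMS = {"sub": "1234567890", "name": "name", "email": "name@example.com"}
SAMPLE_TOKEN = ".".join([b64url_encode(json.dumps(SAMPLE_HEADER).encode()),
                         b64url_encode(json.dumps(SAMPLE_CLAIMS).encode()), b64url_encode(b"\x00" * 64)])
```

These arrive as ordinary HTTP headers, so the check only means something when the target's security group admits traffic from the load balancer alone.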


Monitoring using load balancer access logs

Access logs are pushed every 5 minutes to the configured S3 bucket

Access logs are encrypted in transit to Amazon S3 and can be encrypted at rest

Athena can be used to query access logs to understand traffic patterns

Amazon QuickSight can be used to create dashboards for TLS vs. non-TLS traffic, certificates/ciphers used, and assessing session resumption
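As an added example (not from the session), a small summarizer for ALB access log entries that produces the numbers the QuickSight dashboards above are built from: TLS vs. plaintext requests, the protocol, cipher and certificate mix, and which clients still negotiate TLSv1 or TLSv1.1, worth following up before a stricter predefined policy is applied. The three entries are constructed in the documented ALB access log field order with placeholder ARNs and addresses.

```python
import shlex
from collections import Counter

# Zero-based positions in the documented ALB access log entry format.
TYPE, CLIENT, REQUEST, USER_AGENT, CIPHER, PROTOCOL, DOMAIN, CERT = 0, 3, 12, 13, 14, 15, 18, 19
WEAK_PROTOCOLS = {"TLSv1", "TLSv1.1"}

def parse_alb_log_line(line):
    """Split one entry into the fields the TLS dashboard needs."""
    fields = shlex.split(line)  # quoted fields such as "request" stay one token
    if len(fields) <= CERT:
        raise ValueError("truncated ALB access log entry")
    return {"type": fields[TYPE], "client": fields[CLIENT], "request": fields[REQUEST],
            "user_agent": fields[USER_AGENT], "cipher": fields[CIPHER],
            "protocol": fields[PROTOCOL], "domain": fields[DOMAIN], "cert": fields[CERT]}

def summarize(lines):
    """TLS vs plaintext counts, protocol/cipher/certificate mix, and clients on weak protocols."""
    s = {"tls": 0, "plaintext": 0, "protocols": Counter(), "ciphers": Counter(),
         "certs": Counter(), "weak_clients": []}
    for line in lines:
        if not line.strip():
            continue
        e = parse_alb_log_line(line)
        if e["protocol"] == "-":  # no TLS fields: the request arrived on a plaintext listener
            s["plaintext"] += 1
            continue
        s["tls"] += 1
        s["protocols"][e["protocol"]] += 1
        s["ciphers"][e["cipher"]] += 1
        s["certs"][e["cert"]] += 1
        if e["protocol"] in WEAK_PROTOCOLS:  # clients to contact before tightening the TLS policy
            s["weak_clients"].append((e["client"], e["user_agent"]))
    return s

# Constructed sample entries (placeholder ARNs and addresses) in the documented ALB field order.
TG = "arn:aws:elasticloadbalancing:us-east-1:111122223333:targetgroup/example-tg/0123456789abcdef"
CERT_ARN = "arn:aws:acm:us-east-1:111122223333:certificate/12345678-1234-1234-1234-123456789012"
_ENTRY = ('{type} 2019-12-03T19:00:00.000000Z app/example-alb/0123456789abcdef {client} 10.0.1.20:80 '
          '0.010 0.020 0.000 200 200 34 366 "GET {scheme}://www.example.com/ HTTP/1.1" "{ua}" '
          '{cipher} {proto} ' + TG + ' "Root=1-5de6c0a0-0123456789abcdef01234567" "{domain}" "{cert}" '
          '1 2019-12-03T19:00:00.000000Z "forward" "-" "-" "10.0.1.20:80" "200" "-" "-"')
SAMPLE_LOG = "\n".join([
    _ENTRY.format(type="http", client="203.0.113.10:43210", scheme="http", ua="curl/7.46.0",
                  cipher="-", proto="-", domain="-", cert="-"),
    _ENTRY.format(type="https", client="203.0.113.11:50000", scheme="https", ua="Mozilla/5.0",
                  cipher="ECDHE-RSA-AES128-GCM-SHA256", proto="TLSv1.2", domain="www.example.com", cert=CERT_ARN),
    _ENTRY.format(type="https", client="203.0.113.12:51000", scheme="https", ua="Java/1.6.0_45",
                  cipher="ECDHE-RSA-AES128-SHA", proto="TLSv1", domain="www.example.com", cert=CERT_ARN)])
```

summarize(SAMPLE_LOG.splitlines()) reports two TLS and one plaintext request and lists the TLSv1 client with its user agent.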


Examining your load balancer activity

Use resource- and tag-based permissions to implement fine-grained access controls on load balancer resources using AWS Identity and Access Management (IAM) policies

Integration with CloudTrail enables capture of all API calls made to the load balancers, creating a record of actions taken by a user, role, or an AWS service

Integration with AWS Config captures changes to load balancer configurations and notifies account owners